More Info:

Ensure that HTTPS is enabled for the load balancer associated with your Amazon Elastic Beanstalk application environment in order to handle encrypted web traffic. By default, the load balancer handles unencrypted traffic requests (HTTP) through port 80. To enable HTTPS traffic over port 443, you must create and configure an HTTPS listener for the associated load balancer.

Risk Level

High

Address

Security

Compliance Standards

SOC2, GDPR, PCIDSS, NIST, HITRUST, NISTCSF

Remediation

Using Console

Sure, here are the step by step instructions to remediate the misconfiguration “Enforce HTTPS for Elastic Beanstalk Load Balancers” for AWS using AWS console:

  1. Log in to your AWS Management Console.
  2. Navigate to the Elastic Beanstalk service.
  3. Select the environment that you want to remediate.
  4. Click on the “Configuration” tab in the left-hand menu.
  5. Scroll down to the “Load Balancer” section and click on “Edit”.
  6. In the “Listeners” section, click on the “Add listener” button.
  7. Select “HTTPS” as the protocol and enter the appropriate port number (usually 443).
  8. Choose the SSL certificate that you want to use from the drop-down list.
  9. In the “Rules” section, click on the “Add rule” button.
  10. Choose “Redirect HTTP to HTTPS” from the drop-down list.
  11. Click on the “Apply” button to save the changes.
  12. Wait for the environment to update and the changes to take effect.

Once these steps are completed, your Elastic Beanstalk Load Balancer will enforce HTTPS and redirect all HTTP traffic to HTTPS.

Using CLI

To enforce HTTPS for Elastic Beanstalk Load Balancers in AWS, you can follow the below steps using AWS CLI:

Step 1: Open the AWS CLI on your local machine.

Step 2: Run the following command to update the Elastic Beanstalk environment to use HTTPS:

aws elasticbeanstalk update-environment --environment-name <your-environment-name> --option-settings Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS --option-settings Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=<your-ssl-certificate-id>

Note: Replace <your-environment-name> with the name of your Elastic Beanstalk environment and <your-ssl-certificate-id> with the ID of your SSL certificate.

Step 3: Run the following command to verify that HTTPS is now enforced:

aws elasticbeanstalk describe-environment-resources --environment-name <your-environment-name> --query "EnvironmentResources.LoadBalancer.Url"

Note: Replace <your-environment-name> with the name of your Elastic Beanstalk environment.

This command will return the URL of the Elastic Beanstalk Load Balancer with HTTPS protocol.

By following the above steps, you can enforce HTTPS for Elastic Beanstalk Load Balancers in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Enforce HTTPS for Elastic Beanstalk Load Balancers” in AWS using Python, you can follow the below steps:

  1. Open the AWS Management Console and navigate to the Elastic Beanstalk environment that needs to be remediated.

  2. Click on the “Configuration” tab and then click on the “Load Balancer” section.

  3. Under the “Listeners” section, click on the “Edit” button.

  4. In the “Add listener” dialog box, select “HTTPS” from the “Protocol” dropdown menu.

  5. Select the SSL certificate that you want to use from the “SSL certificate ID” dropdown menu.

  6. Click on the “Add” button to add the HTTPS listener.

  7. Under the “Rules” section, click on the “Edit” button.

  8. In the “Add rule” dialog box, select “HTTPS” from the “Protocol” dropdown menu.

  9. In the “Path” field, enter ”/*“.

  10. In the “Redirect to” field, enter “https://#:#/#?#“.

  11. Click on the “Add” button to add the HTTPS redirect rule.

  12. Click on the “Apply” button to save the changes.

To automate the above steps using Python, you can use the AWS SDK for Python (Boto3). Here’s an example code snippet to enforce HTTPS for an Elastic Beanstalk Load Balancer:

import boto3

# Replace with your AWS access key ID and secret access key
aws_access_key_id = 'YOUR_AWS_ACCESS_KEY_ID'
aws_secret_access_key = 'YOUR_AWS_SECRET_ACCESS_KEY'

# Replace with the name of your Elastic Beanstalk environment
environment_name = 'YOUR_ELASTIC_BEANSTALK_ENVIRONMENT_NAME'

# Create an Elastic Beanstalk client
eb_client = boto3.client('elasticbeanstalk', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key)

# Get the Elastic Beanstalk environment details
environment = eb_client.describe_environments(EnvironmentNames=[environment_name])['Environments'][0]

# Get the Load Balancer ARN
load_balancer_arn = environment['LoadBalancers'][0]['Name']

# Create an Elastic Load Balancing client
elb_client = boto3.client('elbv2', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key)

# Create the HTTPS listener
elb_client.create_listener(
    LoadBalancerArn=load_balancer_arn,
    Protocol='HTTPS',
    Port=443,
    SslPolicy='ELBSecurityPolicy-2016-08',
    Certificates=[
        {
            'CertificateArn': 'YOUR_SSL_CERTIFICATE_ARN'
        }
    ]
)

# Create the HTTPS redirect rule
elb_client.create_rule(
    ListenerArn='YOUR_HTTPS_LISTENER_ARN',
    Conditions=[
        {
            'Field': 'path-pattern',
            'Values': [
                '/*'
            ]
        }
    ],
    Actions=[
        {
            'Type': 'redirect',
            'RedirectConfig': {
                'Protocol': 'HTTPS',
                'Port': '443',
                'StatusCode': 'HTTP_301',
                'Host': '#{host}',
                'Path': '/#{path}',
                'Query': '#{query}'
            }
        }
    ]
)

Note: Replace the placeholders in the code with your own values. Also, make sure that you have installed the Boto3 library before running the code.

Additional Reading: